Linux researcher and developer says 'there are bugs in your kernel right now that won't be found for years. I know because I analyzed 125,183 of them'
Linux is a beautiful thing. From a completely open-source base, we have probably ten quintillion different distros that treat us like adults, capable of actually owning, controlling, and tinkering with our software. Including, of course, recent boons for gaming such as SteamOS, Bazzite, and Nobara. But that very same free and open foundation might also bring with it some hurdles, such as longstanding bugs.
Researcher and developer Jenny Guanni Qu recently looked at the Linux kernel's bug fixes and found tons of them stick around for a very long time. As someone who feels the allure of Linux distributions and occasionally succumbs to it before quickly scarpering back to Windows when confronted with bugs—usually small and irksome ones, but occasionally catastrophic—this information does not help me. So if you're the same as me: you're welcome.
Qu built a tool to filter through Linux kernel changes and used it to filter for every fix since 2005. "Six hours later, I had 125,183 vulnerability records." Looking at these fixes, she found that the average lifetime of a bug, ie, a bug existing and potentially causing problems for users, was 2.1 years over the 20-year time frame. And 13% of those bugs had been around for five years or more before being fixed.
If we look at just the bugs that were fixed in 2025, that share increases to 20% of said bugs being around for five years or more, but this is because of a peculiar way the stats can get skewed by taking such a small snapshot. In fact, Qu says, "bugs introduced in recent years appear to get fixed much faster.."
Qu's entire investigation acts as a bit of a warning to make sure you're doing good statistics. For instance, they explain: "Bugs introduced in 2010 took nearly 10 years to find and bugs introduced in 2024 are found in 5 months. At first glance it looks like a 20x improvement! But here's the catch: this data is right-censored. Bugs introduced in 2022 can't have a 10-year lifetime yet since we're only in 2026. We might find more 2022 bugs in 2030 that bring the average up."
Instead, if we compare the stats that actually matter and make sense, we are improving: "We're simultaneously catching new bugs faster AND slowly working through ~5,400 ancient bugs that have been hiding for over 5 years."
It's not all the same across the board, of course: some kinds of bugs are fixed faster than others. Networking bugs tend to take longer, and GPU bugs are quicker. There are also certain kinds of bugs that take much longer than others to spot and fix, but which are to be expected, for instance "race-condition" ones that are "non-deterministic and only trigger under specific timing conditions that might occur once per million executions."
Catch up with CES 2026: We're on the ground in sunny Las Vegas covering all the latest announcements from some of the biggest names in tech, including Nvidia, AMD, Intel, Asus, Razer, MSI and more.
In general, the less a bug is triggered and the fewer eyes reviewing its codebase, the longer it'll take to be spotted and fixed. Burrowing in more specifically, for anyone interested, these longstanding bugs tend to involve a few causes: "reference counting errors", "missing NULL checks after dereference", "integer overflow in size calculations", and "race conditions in state machines."
Really, though, zooming out again, they're often just bugs that operate under quite rare circumstances. Qu gives an example of one of the oldest networking bugs they spotted, which spent 19 years unfixed. That stuck around for so long because it only occurred when running a specific test sequence for a specific length of time, and "nobody ran that specific test sequence for two decades."
All of this is presented as a reason to consider the researcher's VulnBERT AI model, "a model that predicts whether a commit introduces a vulnerability." Apparently, "of all actual bug-introducing commits, we catch 92.2%."
Which will be great for those checking through Linux kernel git commits, of course. But for me, as a plain ol' end-user—and at the completely unintentional risk of annoying our Linux readers who will undoubtedly point out just how bad Windows is for bugs—it's just more fuel to my Linux trepidation.